Why Password Managers Are Great Until You Lose Your Password
Commentary: Don't lose your password manager password like I did.
Scott Stein, Editor at Large
Editor's note, May 4, 2022: This commentary originally ran in March 2020. We're rerunning it today in honor of World Password Day. If you still aren't using a password manager, CNET recommends Bitwarden. Original story follows.
I did something really stupid with some of the most important data in my life two years ago. And I don't know how I did it.
I took the basic security advice: use a password manager and then have it create different passwords for each site. I chose the 1Password password manager and after installing it, upgraded to a subscription so I could access my passwords across multiple devices.
Then came the weekend that I tried logging into the app and found my password wasn't working.
I typed it in a few times. Slowly. Then with cut and paste. Nothing registered. It had been working smoothly with my iPhone's Face ID to unlock access to my passwords, but that stopped working after a phone reboot. And I realized suddenly that the master password being asked for wasn't the same as the password I had been using previously, before I added the subscription. Bewildering? Yes. My fault? Absolutely. Can I explain how I entered this fugue state of password confusion? Not at all.
At some point I fumbled my passwords. I have mismanaged my supposedly careful management of my passwords. I feel like I'm in an utter nightmare.
This could happen to you. I hope it doesn't.
My problem is partly a consequence of today's need for an endless supply of secure passwords. Ideally, you should be creating so many unique, complicated passwords that a password manager is the only safe direction. But then, of course, you need a password for that password manager. Once your passwords become sufficiently complicated, you won't really know what the passwords are unless you're writing them down. Which I was. In a password manager.
At the time, 1Password customer service asked me if I had my "emergency kit," a record of my master password and secret key, a code the company gives you when you sign up for a subscription. You aren't supposed to share this information with anyone, and 1Password doesn't have it.
1Password employs these precautions for security. To be clear, I'm meant to safely print or store my 1Password secret key -- a code used to set up 1Password on new devices -- and master password somewhere where I can access them. "The master password would have been chosen by you, when you were creating your account," 1Password's customer support reminded me in an email. When I contacted a company spokesperson, I got the same message.
Did I lose that emergency kit? Did I never download it? What is wrong with me? How did this happen? I wish I could tell you. It's stunning that I simply don't know. Maybe it's because I was panicking when I signed up for the subscription in the first place, late last year. Maybe I skipped a download button. I can't say. And that's the most disturbing part. I feel like an absolute idiot. Also, I'm filled with existential dread now. Many passwords are locked up in there, but I don't remember which. Why didn't I keep a backup record on paper?
I discovered some of my passwords via a separate cloud-synced 1Password vault I'd forgotten that I had. I recovered those when I tried installing the app on another device. But I didn't recover passwords I'd added after updating to the 1Password subscription. 1Password's customer service was able to tell me I had added nine new passwords, but couldn't tell me which accounts they were for.
If you lose the password to your password manager, the password manager customer service can't do anything for you. My only recourse is to wipe everything and start over.
I hyperventilated all day. Then, I went to get my hair cut.
Take it from me... actually, don't
I asked my barber if he used a password manager. He doesn't. I asked if he used two-factor authentication. He doesn't. I was going to offer him advice… but, well, look at me. Locked out of my passwords. I locked away my keys and threw away the key.
Face ID did nothing for me, because 1Password requires you to reauthenticate with your master password when you reboot your iPhone. No other options were left. I began to realize I should have been writing down backup passwords all along. I started doing that, frantically, with the ones I still knew.
I wish there were some magical way I could recover my 1Password password. Through my biometrics. Through a special emergency physical key fob. By presenting myself at a 1Password office and taking a blood test and somehow proving I deserved a second chance. But because of the way strong encryption works, nobody has a backup route into my password archive.
If there's one silver lining to my scatter-brained situation, it's that I've squirreled away some passwords on other managers and in a couple of password-protected documents over the years, like a weird password hoarder. That's made my password manager disaster less nauseating.
But please, don't lose the password to your password manager. Set it up when you aren't distracted and, if you're using 1Password, make sure you save that emergency kit with the master password and secret key.
Don't be me
I feel shredded. Maybe you're smarter than me. But passwords managing passwords, while a necessary evil, means brain-frying complexity. I can't imagine a real-world vault where you'd keep your most important things but then make access contingent on one single key that no one else is allowed to have. But hey, here we are.
Before this, I loved using password managers. They're great. They help keep things organized. They remind you to use complex passwords. They can autofill account passwords on websites and in apps. I'll keep using a password manager, because I can't see any better solution to the password nightmare we've all gotten tangled up in. And since this happened, I've tried to be a lot better about keeping myself better organized. But still, even now, I wish there were even better solutions.
I still feel like, even with what I've learned, I have waves of uneasiness. While efforts are being made to find a future beyond passwords, I still need them. And I still need to manage them...and do a better job at it.
Strings of characters extended to infinity and an unending fear of how to protect them feels like a world of madness as it is. Password managers are a life raft. An imperfect life raft, but they're all I've got.
They're great. Until you lose your password manager password.